

<!DOCTYPE html>
<html class="writer-html5" lang="en" >
<head>
  <meta charset="utf-8" />
  
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  
  <title>Keycloak integration with RadosGW &mdash; Ceph Documentation</title>
  

  
  <link rel="stylesheet" href="../../_static/ceph.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/pygments.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/graphviz.css" type="text/css" />
  <link rel="stylesheet" href="../../_static/css/custom.css" type="text/css" />

  
  
    <link rel="shortcut icon" href="../../_static/favicon.ico"/>
  

  
  

  

  
  <!--[if lt IE 9]>
    <script src="../../_static/js/html5shiv.min.js"></script>
  <![endif]-->
  
    
      <script type="text/javascript" id="documentation_options" data-url_root="../../" src="../../_static/documentation_options.js"></script>
        <script src="../../_static/jquery.js"></script>
        <script src="../../_static/underscore.js"></script>
        <script src="../../_static/doctools.js"></script>
    
    <script type="text/javascript" src="../../_static/js/theme.js"></script>

    
    <link rel="index" title="Index" href="../../genindex/" />
    <link rel="search" title="Search" href="../../search/" />
    <link rel="next" title="角色" href="../role/" />
    <link rel="prev" title="STS Lite" href="../STSLite/" /> 
</head>

<body class="wy-body-for-nav">

   
  <div class="wy-grid-for-nav">
    

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      


      <div class="wy-nav-content">
        
        <div class="rst-content">
        
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
            
<div id="dev-warning" class="admonition note">
  <p class="first admonition-title">Notice</p>
  <p class="last">This document is for a development version of Ceph.</p>
</div>

  
  <div class="section" id="keycloak-integration-with-radosgw">
<h1>Keycloak integration with RadosGW<a class="headerlink" href="#keycloak-integration-with-radosgw" title="Permalink to this headline">¶</a></h1>
<p>Keycloak can be set up as an OpenID Connect Identity Provider, which can be used by mobile/web apps
to authenticate their users. The web token returned as a result of authentication can be used by the
mobile/web app to call AssumeRoleWithWebIdentity to get back a set of temporary S3 credentials,
which the app can then use to make S3 calls.</p>
<div class="section" id="setting-up-keycloak">
<h2>Setting up Keycloak<a class="headerlink" href="#setting-up-keycloak" title="Permalink to this headline">¶</a></h2>
<p>Instructions for installing and bringing up Keycloak can be found here: <a class="reference external" href="https://www.keycloak.org/docs/latest/server_installation/">https://www.keycloak.org/docs/latest/server_installation/</a>.</p>
</div>
<div class="section" id="configuring-keycloak-to-talk-to-rgw">
<h2>Configuring Keycloak to talk to RGW<a class="headerlink" href="#configuring-keycloak-to-talk-to-rgw" title="Permalink to this headline">¶</a></h2>
<p>The following configurables have to be added for RGW to talk to Keycloak. Note that <code>rgw sts key</code> is a secret (it encrypts and decrypts the session token), so the configuration file that holds it should be readable only by the RGW daemon:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">client</span><span class="o">.</span><span class="n">radosgw</span><span class="o">.</span><span class="n">gateway</span><span class="p">]</span>
<span class="n">rgw</span> <span class="n">sts</span> <span class="n">key</span> <span class="o">=</span> <span class="p">{</span><span class="n">sts</span> <span class="n">key</span> <span class="k">for</span> <span class="n">encrypting</span><span class="o">/</span> <span class="n">decrypting</span> <span class="n">the</span> <span class="n">session</span> <span class="n">token</span><span class="p">}</span>
<span class="n">rgw</span> <span class="n">s3</span> <span class="n">auth</span> <span class="n">use</span> <span class="n">sts</span> <span class="o">=</span> <span class="n">true</span>
</pre></div>
</div>
</div>
<div class="section" id="example-showing-how-to-fetch-a-web-token-from-keycloak">
<h2>Example showing how to fetch a web token from Keycloak<a class="headerlink" href="#example-showing-how-to-fetch-a-web-token-from-keycloak" title="Permalink to this headline">¶</a></h2>
<p>Several examples of apps authenticating with Keycloak are given here: <a class="reference external" href="https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md">https://github.com/keycloak/keycloak-quickstarts/blob/latest/docs/getting-started.md</a>.
Taking the app-profile-jee-jsp app from the link above as an example, its client id and client secret can be used to fetch the
access token (web token) for an application using grant type ‘client_credentials’, as given below. The example passes <code>curl -k</code> (which disables TLS certificate verification) and uses a plain <code>http://</code> endpoint; outside a local test setup, use an <code>https://</code> endpoint and drop <code>-k</code>, because the request carries the client secret and the response carries the access token.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>KC_REALM=demo
KC_CLIENT=&lt;client id&gt;
KC_CLIENT_SECRET=&lt;client secret&gt;
KC_SERVER=&lt;host&gt;:8080
KC_CONTEXT=auth

# Request Tokens for credentials
KC_RESPONSE=$( \
curl -k -v -X POST \
-H &quot;Content-Type: application/x-www-form-urlencoded&quot; \
-d &quot;scope=openid&quot; \
-d &quot;grant_type=client_credentials&quot; \
-d &quot;client_id=$KC_CLIENT&quot; \
-d &quot;client_secret=$KC_CLIENT_SECRET&quot; \
&quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token&quot; \
| jq .
)

KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
</pre></div>
</div>
<p>An access token can also be fetched for a particular user with grant type ‘password’, using the client id, client secret, username and the user's password,
as given below. This grant sends the user's password to the token endpoint together with the client secret, so it should only be used over <code>https://</code> and only with a client that the user is willing to entrust with that password:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> KC_REALM=demo
 KC_USERNAME=&lt;username&gt;
 KC_PASSWORD=&lt;userpassword&gt;
 KC_CLIENT=&lt;client id&gt;
 KC_CLIENT_SECRET=&lt;client secret&gt;
 KC_SERVER=&lt;host&gt;:8080
 KC_CONTEXT=auth

# Request Tokens for credentials
 KC_RESPONSE=$( \
 curl -k -v -X POST \
 -H &quot;Content-Type: application/x-www-form-urlencoded&quot; \
 -d &quot;scope=openid&quot; \
 -d &quot;grant_type=password&quot; \
 -d &quot;client_id=$KC_CLIENT&quot; \
 -d &quot;client_secret=$KC_CLIENT_SECRET&quot; \
 -d &quot;username=$KC_USERNAME&quot; \
 -d &quot;password=$KC_PASSWORD&quot; \
 &quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token&quot; \
 | jq .
 )

 KC_ACCESS_TOKEN=$(echo $KC_RESPONSE| jq -r .access_token)
</pre></div>
</div>
<p>KC_ACCESS_TOKEN can be used to invoke AssumeRoleWithWebIdentity as given in
<a class="reference internal" href="../STS/"><span class="doc">STS in Ceph</span></a>.</p>
</div>
<div class="section" id="attaching-tags-to-a-user-in-keycloak">
<h2>Attaching tags to a user in Keycloak<a class="headerlink" href="#attaching-tags-to-a-user-in-keycloak" title="Permalink to this headline">¶</a></h2>
<p>Create a user in Keycloak and add the tags to it as user attributes.</p>
<p>Add a user as shown below:</p>
<img alt="Keycloak: adding a user" class="align-center" src="../../_images/keycloak-adduser.png" />
<p>Add user details as shown below:</p>
<img alt="Keycloak: user details form" class="align-center" src="../../_images/keycloak-userdetails.png" />
<p>Add user credentials as shown below:</p>
<img alt="Keycloak: user credentials form" class="align-center" src="../../_images/keycloak-usercredentials.png" />
<p>Add tags to the ‘attributes’ tab of the user as shown below:</p>
<img alt="Keycloak: tags entered on the ‘attributes’ tab of the user" class="align-center" src="../../_images/keycloak-usertags.png" />
<p>Add a protocol mapper for the user attribute to a client as shown below:</p>
<img alt="Keycloak: protocol mapper for the user attribute on a client" class="align-center" src="../../_images/keycloak-userclientmapper.png" />
<p>After following the steps shown above, the tag ‘Department’ will appear in the JWT (web token) under the ‘<a class="reference external" href="https://aws.amazon.com/tags">https://aws.amazon.com/tags</a>’ namespace.
The tags can be verified using token introspection of the JWT. The command to introspect a token using the client id and client secret is shown below; like the token requests above, it carries the client secret (via <code>-u</code>) and the token itself, so in practice run it against an <code>https://</code> endpoint without <code>-k</code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">KC_REALM</span><span class="o">=</span><span class="n">demo</span>
<span class="n">KC_CLIENT</span><span class="o">=&lt;</span><span class="n">client</span> <span class="nb">id</span><span class="o">&gt;</span>
<span class="n">KC_CLIENT_SECRET</span><span class="o">=&lt;</span><span class="n">client</span> <span class="n">secret</span><span class="o">&gt;</span>
<span class="n">KC_SERVER</span><span class="o">=&lt;</span><span class="n">host</span><span class="o">&gt;</span><span class="p">:</span><span class="mi">8080</span>
<span class="n">KC_CONTEXT</span><span class="o">=</span><span class="n">auth</span>

<span class="n">curl</span> <span class="o">-</span><span class="n">k</span> <span class="o">-</span><span class="n">v</span> \
<span class="o">-</span><span class="n">X</span> <span class="n">POST</span> \
<span class="o">-</span><span class="n">u</span> <span class="s2">&quot;$KC_CLIENT:$KC_CLIENT_SECRET&quot;</span> \
<span class="o">-</span><span class="n">d</span> <span class="s2">&quot;token=$KC_ACCESS_TOKEN&quot;</span> \
<span class="s2">&quot;http://$KC_SERVER/$KC_CONTEXT/realms/$KC_REALM/protocol/openid-connect/token/introspect&quot;</span> \
<span class="o">|</span> <span class="n">jq</span> <span class="o">.</span>
</pre></div>
</div>
</div>
</div>



           </div>
           
          </div>
          <footer>

  <hr/>

  <div role="contentinfo">
    <p>
        &#169; Copyright 2016, Ceph authors and contributors. Licensed under Creative Commons Attribution Share Alike 3.0 (CC-BY-SA-3.0).

    </p>
  </div> 

</footer>
        </div>
      </div>

    </section>

  </div>
  


  
  
    
   

</body>
</html>